CVE-2026-28775
CRITICALIDC SFX Series SuperFlex SatelliteReceiver - Default SNMP Community Root Command Execution
Title source: manualDescription
An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver. The deployment insecurely provisions the `private` SNMP community string with read/write access by default. Because the SNMP agent runs as root, an unauthenticated remote attacker can utilize `NET-SNMP-EXTEND-MIB` directives, abusing the fact that the system runs a vulnerable version of net-snmp pre 5.8, to execute arbitrary operating system commands with root privileges.
References (2)
Core 2
Core References
Various Sources
https://www.abdulmhsblog.com/posts/spfx-vulnrabilities/
Various Sources
https://www.abdulmhsblog.com/posts/sfx2100-vulns/
Scores
CVSS v3
9.8
EPSS
0.0120
EPSS Percentile
64.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1188
Status
published
Products (1)
datacast/sfx2100_firmware
Published
Mar 04, 2026
Tracked Since
Mar 04, 2026